Do Smart Meter Cybersecurity Risks Exist for Australia’s Critical Infrastructure?

How can we accelerate digitisation without of smart meter cybersecurity risks and meanwhile, find adequate time to strengthen smart meter technology, policy and safeguards?

Vast expanses of ageing utility infrastructure is progressively being upgraded with new tech. Since the early 2000’s, smart meters have been mandated by various governments seeking to create more efficient and reliable electricity systems. 

Remotely accessible and connecting the grid to smart home appliances and the internet, smart meters are being implemented across millions of homes as a critical part of Australia’s digital, future grid. So, in light of National Electricity Obligations (NEO), and cyber threats strengthening, what’s being done to address risks to Australia’s critical infrastructure via grid-connected devices such as smart meters?

Australia’s Smart Meter Rollout

Eight years ago, Australian electricity regulators handed the responsibility of our smart meter rollout to energy retailers. Ever since, DNSPs and retailers have been grappling with the implementation of smart meter hardware and supporting infrastructure. This includes communications and customer interfaces to metering data. 

Naturally, the more connected critical infrastructure like our energy network, the more robust cybersecurity protections must be. Yet academics, engineers and hackers continue to uncover outdated protocols, sloppy standards and poor cybersecurity practices used in smart meter rollouts in here and overseas. 

Credit: Sydney Morning Herald:

Image credit: Sydney Morning Herald.

In the meantime, just as has happened in the UK, rollout deadlines have been missed, so the AEMC is applying significant pressure to accelerate Australia’s smart meter rollout. Unfortunately, this only increases likelihood of further slip-ups and cybersecurity risk in the rush to digitise the NEM.

Key smart meter cybersecurity risks: 

  1. Hackers target utilities
  2. Multi-level vulnerabilities exist, from smart home appliance to the grid
  3. Catastrophic potential impacts
  4. Devices are deployed far and wide, and for long periods of time

Smart Meter Cybersecurity Risk Factors

1. Hackers Commonly Target Utilities

Tampering with utility meters is a long-standing problem. Individuals often tamper with devices to score free power. Professional hackers, meanwhile, target utilites because of the potential devastation caused by a wide-scale blackout. Hackers also know that utilities typically have outdated systems vulnerable to attack. 

Indeed, last year, Searchlight Cyber found relevant malware for sale on the dark web. For between just $20 and $2,500, hackers are selling access to operational technology and control systems used by specific energy operators. 

Meanwhile, the capability to remotely connect and disconnect power via smart meters adds to the risk of outages at scale. A 2021 academic study found smart meter switches can be hacked to replicate a problematic load, ‘tripping’ and shutting components of the grid on and off. This instability undermines the integrity of the grid in what’s called an “oscillation attack”, sparking further blackouts across the electricity network. One example of an oscillation attack is the 2015 BlackEnergy malware attack upon 3 of Ukraine’s energy infrastructure. 

2. Risks Increasing the Speed & Scale of a Smart Meter Hack

Hacking electricity networks via smart meters is made easier by poor implementation, standards, and aging infrastructure. 

Indeed, Researchers and Regulators have discovered issues with millions of smart meter implementations. This includes device credentials either hardcoded, uniformly applied or left completely unconfigured across massive implementations. Such poor pairing standards and authentication mechanisms introduce well-known vulnerabilities to millions of homes and businesses, including ‘listening’, outages, and interference with connected smart home devices. 

For example, studies have found a strong signal is enough to trick a poorly-configured smart meter into believing a hacker is a mobile phone tower. Also known as a ‘man in the middle’ attack, the smart meter responds, sending its hacker sensitive data like smart meter ID, passwords, and software protocols. This information can spoof the smart meter and disconnect power to the home, to connected smart home devices, or send fake meter reads to the utility.  

 3. Devices Are Deployed Far, Wide & for Long Periods of Time

With a lifetime of 20-50 years, smart meters must have cyber-security protections relevant in 2050-plus. Thus, smart meters are mandated receive software patches and updates wirelessly via “firmware over the air” (FOTA). 

However, if One uses FOTA to wirelessly fix smart meters on mass, One can also exploit FOTA features to break them. A compromised smart meter becomes a single point of failure, providing hackers access to the grid, households, businesses, and smart home devices. 

4.  Inconsistent Cybersecurity Regulations offer Poor Protections

Most smart meter cybersecurity risks known today and indeed, these outlined here can be minimised with data encryption, network segmentation, and customised credentials. 

In light of risk factors and more aggressive malicious actors, however, Australia’s evolving standards and voluntary annual cybersecurity assessment programs seem inadequate to protect our critical infrastructure. Many industry professionals are concerned that protections aren’t keeping pace with AI-powered malware and the risk of widespread technology debt. 

Accelerating Digitisation of the NEM Without Unnecessary Cybersecurity Risk

Digitisation and smart meters are elemental to more connected smart grids of the future. A time-critical, global demand for data has regulators accelerating smart meter rollouts, risking critical infrastructure. 

How, then, do we accelerate digitisation of our grid, free of cyber risk, while allowing adequate time to strengthen smart meter technology, policy and safeguards?

Digitisation via alternative models is a viable way to achieve digitisation, cost savings and benefits to consumers without unnecessary exposure. Many solutions exist. Transition technologies designed specifically to ease the burden of transiting the energy network to renewables.

SNAPI AI-Powered Meter Reader being installed on an analogue electricity meter.

SNAPI Digitising an ISKRA
Electricity Meter, Safely, in Seconds

SNAPI AI-powered digital meter readers are connected, but protected. That is, devices do not interact with the electricity supply, smart home devices, nor the meter. Rather, SNAPI is opto-isolated from the meter; the device ‘snaps’ on to a meter to instantly remotely “cyber-physically” read consumption data digitally.

Further, SNAPI devices aren’t remotely accessible (with zero FOTA functionality). Meter reading data that’s captured by SNAPI isn’t attributable to a site or address. Rather, a device’s unique identifier and corresponding reading data is all that’s sent to target systems to ensure anonymity. And finally, SNAPI systems are all stored on-soil in Australia.

For more, visit SNAPI FAQs or SNAPI-AU YouTube Channel.

Contact Us